Android Marcher now posing as Super Mario Run

Attackers seek to use the game's popularity to spread malware

By: Viral Gandhi

January 05, 2017

Mobile


Nintendo recently released Super Mario Run for the iOS platform. In no time, the game became a sensational hit on the iTunes store. However, there is not yet an Android version and there has been no official news on such a release. Attackers are taking advantage of the game's popularity, spreading malware posing as an Android version of Super Mario Run.

The ThreatLabZ team wrote about a similar scam that occurred during the release of another wildly popular game, Niantic's Pokemon GO. Like that scam, the new Android Marcher Trojan is disguised as the Super Mario Run app and attempts to trick users with fake finance apps and a credit card page in an effort to capture banking details.

Marcher history

Marcher is a sophisticated banking malware strain that targets a wide variety of banking and financial apps and credit cards by presenting fake overlay pages. Once the user's mobile device has been infected, the malware waits for the victim to open one of its targeted apps and then presents the fake overlay page asking for banking details. Unsuspecting victims provide the details, which are harvested and sent to the malware's command and control (C&C) server. We have seen this malware evolve and take advantage of recent trends in order to target a large number of users. We have covered similar campaigns in the past related to Marcher malware here and here.

Technical details

In this new strain, the Marcher malware is disguised as the Super Mario Run app for Android. Knowing that Android users are eagerly awaiting this game, the malware will attempt to present a fake web page promoting its release.

Upon installation, the malware asks for multiple permissions including administrative rights as shown below.

Fig. 1: Permissions

In previous variants of Marcher, we observed this malware family targeting well-known Australian, UK, and French banks. The current version targets account management apps in addition to well-known banks. The following is a code snippet showing sample targeted apps:

Like previous Marcher variants, the current version also presents fake credit card pages once the victim opens the Google Play store on an infected device. The malware locks out Google Play until the user supplies the credit card information as shown below:

Fig. 3: Fake credit card page

However, the banking overlay pages served by the C&C were not functioning properly at the time of this writing. We suspect that the malware variant is still under development.

Fig. 4: Error page

In the current variant, we have observed a new obfuscation technique, in which all important string characters are delimited with '<<zB5>>' as shown below.

Fig. 5: Encoded strings
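Added example (not code from the post or from the Marcher sample): a small Python helper an analyst can run over decompiled source to pull out the '<<zB5>>'-delimited strings, strip the delimiter, and flag the decoded values that look like C&C URLs or targeted app package names. It assumes the delimiter sits between consecutive characters of each string literal; the sample source, the `c2.example` URL and the function names are constructed for illustration.

```python
import re

# Delimiter the post reports between the characters of Marcher's "important" strings.
DELIM = "<<zB5>>"

# A run of single characters each followed by the delimiter, then the final character.
# Assumption: the delimiter sits between consecutive characters of a string literal and
# the literal contains no double quote or newline.
ENCODED_RE = re.compile(r'(?:[^"\n]' + re.escape(DELIM) + r')+[^"\n]')

# Decoded strings worth a second look during triage: URLs and Android-style package names.
LOOKS_INTERESTING = re.compile(r'^(?:https?://|[a-z]{2,3}\.[a-z0-9_]+\.)', re.I)


def decode(encoded: str) -> str:
    """Strip the delimiter from one encoded string."""
    return encoded.replace(DELIM, "")


def extract_strings(source_text: str) -> list:
    """Find every delimited string in a chunk of decompiled source and decode it, in order."""
    return [decode(m.group(0)) for m in ENCODED_RE.finditer(source_text)]


def triage(source_text: str) -> list:
    """Return only the decoded strings that look like C&C URLs or targeted app packages."""
    return [s for s in extract_strings(source_text) if LOOKS_INTERESTING.match(s)]


def _delimit(plain: str) -> str:
    # Used only to build the constructed sample below without hand-typing the delimiters.
    return DELIM.join(plain)


# Constructed sample of decompiled Java: com.android.vending is the Google Play package
# the post says the malware watches for; c2.example is a placeholder, not a real C&C.
SAMPLE_SOURCE = (
    'String a = "' + _delimit("com.android.vending") + '";\n'
    'String b = "' + _delimit("http://c2.example/panel") + '";\n'
    'String c = "plain text, left unobfuscated";\n'
    'String d = "' + _delimit("Super Mario Run") + '";\n'
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE_SOURCE):
        print(s)
    print("triage:", triage(SAMPLE_SOURCE))
```

Running it over a real decompile (for example, the output of a Java decompiler on the APK) prints each recovered string and the subset worth following up, which is where the hardcoded C&C location in Fig. 6 would surface.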

The code snippet below shows the hardcoded C&C location.

Fig. 6: C&C location

Conclusion

Android Marcher has been around since 2013 and continues to actively target mobile users' financial information. To avoid becoming a victim of such malware, it is a good practice to download apps only from trusted app stores such as Google Play. This practice can be enforced by unchecking the "Unknown Sources" option under the "Security" settings of your device.

Zscaler ThreatLabZ is actively monitoring this variant of the Android Marcher malware to ensure that Zscaler customers are protected.